Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Information Flow Inlining Compiler for a Core of JavaScript José Fragoso Santos Tamara Rezk Equipe Project INDES.

Published byMark Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "An Information Flow Inlining Compiler for a Core of JavaScript José Fragoso Santos Tamara Rezk Equipe Project INDES."— Presentation transcript:

1 An Information Flow Inlining Compiler for a Core of JavaScript José Fragoso Santos Tamara Rezk Equipe Project INDES

2 Combine data and/or code from multiple origins to create a new service Web Applications Are commonly implemented in JavaScript

3 Security Vulnerabilities dom Integrator.js Gadget AGadget BGadget C Confidentiality Integrity integrator.html External Code Internal script that combines the external content Solution: Information Flow Control

4 JavaScript Security Leaks Security Leaks due to: 1 Extensible Objects address_table = {}; … register_addr = function(name, addr) { if (!address_table[name]) { address_table[name] = addr; } } register_add(“Jose Santos”, “jose.santos@inria.fr”); POLICY: Addresses are SECRET (H) address_table[“Jose Santos”] leaks Information at level H

5 JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance o1 = {}; o1.p = h ; o2 = {}; o2.__proto__ = o1; o2.p o2.p leaks information at level H

6 JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance 3 Constructs for Checking the Existence of Properties o1 = {}; if (h()) { o1.p = 1 } o1.p o1.p leaks information at level H

7 JavaScript Security Leaks Defining Features of JavaScript 1 Extensible Objects 2 Prototypical Inheritance 3 Constructs for Checking the Existence of Properties 4 Binding of Global Variables x = h ; f = function (x) { return this.x; } l = f(0); l leaks information at level H

8 Information Flow Control Public Outputs Should NOT Depend on Secret Inputs 1 Establish a Lattice of Security Levels 2 Label Variables with Security Levels 3 Label Object Properties with Security Levels 4 Assign a Level to the Domain of Every Object Levels Γ : Variables → Levels Σ : References x Property Names → Levels Σ : References → Levels

9 Attacker Model What can an attacker see? 1 Values of variables labeled with L 2 Values of properties labeled with L 3 The domains of the objects labeled with L

10 Attacker Model What can an attacker see? Memory Low-Proj High-Proj

11 Attacker Model What can an attacker see? o1o1 p 1 H : v 1 p 2 L : v 2 p 3 L : v 3 Low-Projection Domain L : p 1, p 2, p 3 p 2 L : v 2 p 3 L : v 3 Domain L : p 1, p 2, p 3

12 Attacker Model What can an attacker see? o1o1 p 1 H : v 1 p 2 L : v 2 p 3 L : v 3 Low-Projection p 2 L : v 2 p 3 L : v 3 Domain H : p 1, p 2, p 3

13 Security Property When should a program P be allowed to execute? HP 0 LP 0 HP 0 ’ LP 0 ’ LP 0 = LP 0 ’ HP 1 LP 1 HP 1 ’ LP 1 ’ Initial Mems Final Mems Execution of P: LP 1 = LP 1 ’ Divergent Executions Are Assumed NOT To Leak Information

14 Security By Compilation Rewrite a program P as P’ so that: 1 P’ only executes if the execution of P is SECURE 2 The semantics of P’ is contained in the semantics of P

15 Security By Compilation A Recipe for Designing Inlining Transformations: 1 Specify a Monitored Semantics 2 Prove the Monitored Semantics Secure 3 Specify a Program Transformation that Inlines the Monitor 4 Prove the Inlining Transformation Correct

16 Monitored Semantics Execute the Program in the: 1 Real Memory 2 Security Labeling = Abstract Memory r, pc ├ → Current Scope Object Level of the Current Context Initial MemoryVariable Labeling Object LabelingExpression to Evaluate Final MemoryFinal Variable Labeling Final Object Labeling Final ValueLevel of the Expression

17 Monitored Semantics No-Sensitive Upgrades Idea: Visible Resources cannot be updated in invisible contexts High Executions do NOT change the low projection of the memory

18 Monitored Semantics No-Sensitive Upgrades o1 = {}; o1.p = l; if (h()) { o1.p = 0 } Low-Projections p L : l o1 dom L : {p} h() Є {false, 0, null, undefined} o1 dom L : {p} h() Є {false, 0, null, undefined}

19 Monitored Semantics Property Assignment: e 0 [e 1 ] = e 2 r, pc ├ → Evaluate sub-expressions:

20 Monitored Semantics Property Assignment r, pc ├ → Evaluate sub-expressions:

21 Monitored Semantics Property Assignment r, pc ├ → Evaluate sub-expressions:

22 Monitored Semantics Property Assignment r, pc ├ → e 0 → r 0, σ 0, e 1 → m 1, σ 1, e 2 → v 2, σ 2 No-sensitive upgrades: σ 0 ˅ σ 1 ˅ pc ≤ Σ(r 0, m 1 ) if m Є μ 2 (r 0, dom ) σ 0 ˅ σ 1 ˅ pc ≤ Σ(r 0, dom) if m Є μ 2 (r 0, dom )

23 Monitored Semantics Property Assignment r, pc ├ → e 0 → r 0, σ 0, e 1 → m 1, σ 1, e 2 → v 2, σ 2 Memory and Labeling Updates: μ’ = μ 2 [(r 0, m 1 ) → σ 0 ˅ σ 1 ˅ σ 2 ˅ pc ] Σ’ = Σ 2 [(r 0, m 1 ) → σ 0 ˅ σ 1 ˅ σ 2 ˅ pc ]

24 Instrumentation Encode the labelings in the memory Memory μ Labeling Γ, Σ Instrumented Memory μ' S Similarity Relation

25 Instrumentation Pair Up Each Variable with a Shadow Variable that holds its level Variable: x Value: μ(x) Level: Γ(x ) Labeled Memory μ, Γ, Σ Instrumented Memory μ inst Variable: x Shadow Variable: lev x Value: μ inst (x) Level: μ inst ( lev x )

26 Instrumentation Object: o (r o ) Property: p Value: μ( r o )(p) Level: Σ(r o )(p) Labeled Memory μ, Γ, Σ Instrumented Memory μ inst Object: o (r o ) Property: p Shadow Property: lev p Value: μ inst ( r o )(p) Level: μ inst ( r o ) ( lev p ) Pair Up Each Property with a Shadow Property that holds its level

27 Instrumenting Objects p: v p q: v q s: v s o Σ(o) p: σ p q: σ q s: σ s domain: σ dom S p: v p q: v q s: v s lev_p: σ p lev_q: σ q lev_dom: σ dom o’ lev_s: σ s

28 Instrumentation Encode the labelings in the memory μΓ, Σ μiμi S μ'μ' Γ’, Σ’ μi'μi' Monitored Execution of P Execution of P’ S Comp(P) = P’

29 Compiler Specification Comp(e) = 1 e’ simulates the execution of e in the monitored semantics 2 x bookkeeps the value to which e evaluates 3 l bookkeeps the level of e

30 Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e 0 ) = Compile SubExpressions: Comp(e 1 ) = Comp(e 2 ) =

31 Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e i ) = i = 0,1,2 Constraint: if (x 1 Є dom( x 0 )) { check( l 0 ˅ l 1 ˅ pc ≤ x 0 [shadow(x 1 )]) } else { check( l 0 ˅ l 1 ˅ pc ≤ x 0 [“lev_dom”]) }

32 Compiler Specification Property Assignment: e 0 [e 1 ] = e 2 Comp(e i ) = i = 0,1,2 Comp(e 0 [e 1 ] = e 2 ) = e 0 ’; e 1 ’; e 2 ’ Constraint x 0 [x 1 ] = x 2 ; x 0 [shadow(x 1 )] = l 0 ˅ l 1 ˅ l 2

33 Conclusions In Summary: 1 An information flow monitor for a a core of JavaScript 2 A program transformation that inlines the monitor 3 A prototype implementation

34 Thank you!

Download ppt "An Information Flow Inlining Compiler for a Core of JavaScript José Fragoso Santos Tamara Rezk Equipe Project INDES."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.

Security of Multithreaded Programs by Compilation Tamara Rezk INDES Project, INRIA Sophia Antipolis Mediterranee Joint work with Gilles Barthe, Alejandro.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Intermediate Code Generation

Intermediate Code Generation
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Chapter 9 Subprograms Specification: name, signature, actions Signature: number and types of input arguments, number and types of output results –Book.

Chapter 9 Subprograms Specification: name, signature, actions Signature: number and types of input arguments, number and types of output results –Book.
Subprogram Control - Data sharing Mechanisms to exchange data Arguments - data objects sent to a subprogram to be processed. Obtained through  parameters.

Subprogram Control - Data sharing Mechanisms to exchange data Arguments - data objects sent to a subprogram to be processed. Obtained through  parameters.
Chapter 7: User-Defined Functions II

Chapter 7: User-Defined Functions II
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.

Mashup Security by Compilation Tamara Rezk These slides discuss joint work with Zhengqin Luo and Jose Santos February 22 nd, 2013.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.

Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.
Programming Languages Structure

Programming Languages Structure

Similar presentations

Ads by Google